MidState Medical Center, in Meriden, Conn., has reported the loss of an external hard drive containing information on 93,500 patients. State law enforcement and consumer protection advocates are also investigating this data breach.
Built in 1998, MidState Medical Center is an affiliate of Hartford HealthCare and serves central Connecticut.
The employee, whom MidState did not name, violated hospital policy by transferring patients' medical data to a hard drive and then bringing it home. Somewhere between the hospital and the employee's home, the hard drive went missing and has not been found.
The individual was an employee of sister facility Hartford Hospital and is no longer employed by the hospital system, Pam Cretella, a spokesperson for MidState, told eWEEK. She was unable to confirm that the employee had been dismissed.
Connecticut Attorney General George Jepsen and Consumer Protection Commissioner William M. Rubenstein have asked MidState for additional information on the breach.
"I strongly believe in protecting the confidentiality of patients' private information," Jepsen said in a statement. "Hospitals, like health insurance companies, have access to very sensitive health and personal information. They have a duty to protect that information from unlawful disclosure."
Patient records on the missing hard drive included names, addresses, dates of birth, marital status and medical record numbers as well as, in some cases, Social Security numbers.
The hospital learned of the breach on Feb. 15 and mailed letters to notify patients almost two months later, on April 5.
As with most recent data breaches, MidState has offered affected patients two years of identity protection through the Debix Identity Protection Network. The hospital also recommended that its patients check their credit reports for fraudulent activity.
In addition to contacting law authorities, the hospital hired a private investigator to look for the hard drive. MidState is also reviewing its security policies and procedures to see how to improve them, according to Cretella.
"We did have policies and procedures in place, but we're going to review them to see if they need to be updated in any way and to educate employees so that they are aware as well," Cretella said.
"Ensuring that companies comply with the law before consumers get hurt is always more effective than trying to protect consumers after a breach," Rubenstein said in a statement. "We will assess the hospitals' security protocols to assure that a system is in place to prevent this kind of breach from happening again."
No evidence indicates that patient information on the hard drive has been used, Cretella stressed.
"Our patients' personal information and their protection is a big priority for us, and we apologize that this happened," Cretella said. "We're taking steps to ensure that something like this doesn't happen again."
The MidState data breach is not the only recent incident involving missing hardware.
On March 14, health insurer Health Net reported the loss of nine server drives containing information on 2 million people, and on Feb. 11 Saint Francis Health System in Oklahoma reported the theft of a PC from an outpatient facility no longer in use.
Meanwhile, on Feb. 23, Henry Ford Health System in Detroit notified the public of a missing flash drive holding information on 2,777 patients. Under its "zero-tolerance policy," Henry Ford threatened to suspend or terminate employees who fail to secure PCs, smartphones or flash drives.